[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC"
Date: Fri, 16 Dec 2022 20:50:11 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186

--- Comment #25 from amendlik@gmail.com ---
(In reply to Cy Schubert from comment #24)

I've done some reading on the FreeIPA client (which would be the server running sshd) setup and learned that PAM is only used for password authentication. Kerberos authentication is supposed to be handled by GSSAPI. So I don't believe your patch will help in this case.

That should take PAM out of the flow and bring us back to what I believe is the root issue: that FreeBSD sshd reports that it cannot handle a type 20 ticket.

I see you saying that "FreeBSD OpenSSH server linked against Heimdal also works", but I'm still struggling to understand that. You seem to be saying that a type 20 ticket will be accepted if that ticket was generated by a FreeBSD/MIT KDC, but if it was generated by a FreeIPA/MIT KDC, it will report "encryption type 20 not supported".

Can you help me understand this apparent contradiction? How does the same FreeBSD sshd in one case say "type 20 not supported" and in another case work fine with a type 20 ticket?

When you say your sshd is "linked against Heimdal", do you mean the Heimdal from the base system, or a newer version?

--
You are receiving this mail because:
You are the assignee for the bug.